When the Kingdom of Saudi Arabia (KSA) was the subject of multiple drone and missile attacks on its vast oil infrastructure in September 2019, the news sent shockwaves through the oil sector as well as geopolitical circles.

Strikes hit the country’s Abqaiq oil facility and its Khurais oil field in the high-profile attack, with reports varying as to the impact on operations. Some reports describe the country’s oil output as falling by just over one million barrels per day, while others initially suggested this figure was much higher at as much as five million barrels per day at its peak, as a result of the attacks.

Though operations are yet to return to their pre-attack levels, almost one later, the Kingdom responded with remarkable speed and agility, reportedly ramping its Abqaiq facility back up to two million barrels per day within just 48 hours of the attack – and emphasising its position as a stronghold for oil and gas activity. Saudi Arabia is the world’s largest exporter of oil and within mere weeks had recovered its exports to around nine million barrels per day or above.

But the attacks have potentially left a lasting legacy in terms of security and how vulnerable such infrastructure is to cyber attack. Here in this MENA Series special, we look at the sensitive path forward the region finds itself navigating.

High stakes

Tensions, as well as the stakes, are high in the Middle East. Whilst nothing new, the complexities of the region and its territories, not to mention its political and religious nuances, have been visibly heightened in recent times with incidents such as the Qatar embargo by Saudi Arabia and its allies (UAE, Bahrain, Egypt, Yemen, and the Maldives), the escalation of military tensions between the US and Iran and the former’s withdrawal from the Joint Comprehensive Plan of Action (JCPOA), and of course the aforementioned attacks on Saudi Arabia’s oil infrastructure.

The question is, will the current geopolitical situation in the region get worse?

According to geopolitical intelligence advisory service the Luminae Group, yes it will. “The current debacle with Turkey’s incursion in northern Syria is adding another layer of complexity and violence to an already fraught region,” says Managing Partner and Principal, Heather Heldman, “and in the coming months, is likely to intensify and complicate debate about control of energy markets and resources in Syria and Iraq.”

“In the short-term, this conflict will serve as a distraction to Iran’s behaviour, which was previously dominating foreign policy discourse in the West. In the longer term, this incursion is likely to delay Iran’s ability to recoup the investments it has made in Syria over the last few years to prop up the Assad regime, which may lead to significant political complications for the Iranian regime.”

Though the Houthi movement in Yemen claimed responsibility, the assertion of many is that the attacks on Saudi Arabia’s oil facilities in September had Iranian involvement and are the result of this complex geopolitical balance in the region. Which begs the question, can we expect to see more attacks on the oil and gas industry in the Middle East, both physical and cyber in nature?

Heldman believes it’s a possibility. “Turning up the intensity of an ongoing cyber warfare campaign or launching a particularly insidious cyber attack now, in what is still the immediate aftermath of the recent attack on Saudi oil infrastructure, makes a lot of sense from both the Iranian and American perspectives (and by association the perspective of the US’ allies in the Gulf),” she says.

“Such a course of action has the potential to do significant damage to infrastructure, including to oil and natural gas infrastructure, by and large does not pose an immediate threat to human life in the same way that conventional military action does, and maintains plausible deniability (at least for a period of time – this may last longer for some nations than it does for others).”

“However, all of the players involved have an incentive to use cyber attacks judiciously,” she adds. “Part of the reason for this is that if the use of cyber attacks becomes more routine, we risk normalising this activity and losing the element of restraint that has generally prevailed between nations in times of high tension to date. Such a change would ratchet up the already large threat that instability and violence in the Middle East pose to Western businesses and infrastructure.”

Cyber attacks

As the 2019 Persian Gulf Crisis and other regional tensions continue to escalate, what exactly are the most immediate cyber threats to oil and gas companies and their infrastructure?

“Oil and gas companies face a variety of threats from hackers, but what we’re most likely to see in the short-term are attacks on the front-end Windows networks of these companies and their facilities to disrupt operations,” says David Kennedy, Founder and CEO of information security consulting team, TrustedSec.

“These attacks can run the gamut from distributed denial-of-service (DDoS), which attempts to disable a network by overwhelming it, to malware attacks using ‘wipers’ or ransomware, which will be even more disruptive by permanently disabling or erasing wide swathes of computers and other connected devices.”

Kennedy cites various examples of such attacks in the past, from the 2011-2013 DDoS attacks on the US banking system to the 2012 Shamoon wiper attack on Saudi Aramco, which ‘bricked’ around 30,000 computers and forced the company to suspend many of its operations.

So, with all of this in mind, should we be worried?

“The oil and gas sector should also be worried about phishing and malware attacks which will attempt to steal employee user IDs and credentials in order to gain inside access to the company’s networks and controls,” Kennedy responds. “This type of attack is a precursor to a much more significant and potentially damaging cyber attack, as once the attacker has access to administrative controls and accounts, s/he can do almost anything.”

“Additionally, we could also see hackers carry out financial attacks against these companies, as a way of harassing them or destabilising them. Banking trojans can be highly effective here.”

“Lastly, of course,” he adds, “there is the risk of a cyber kinetic attack — that is a digital attack which has a physical consequence, like causing machinery to malfunction and cause damage or de-energising critical facilities.”

Image: oil refinery at sunset. Source: AGC Instruments

An example of this latter scenario would be an attack on a plant’s industrial control systems (ICS), something that could resonate beyond the oil and gas sector and, potentially, with the industrial gases industry too. In the current situation, the oil and gas sector should consider ICS to be a target, Kennedy says, and this needs to be ‘closely monitored’.

Initially, attackers would most likely breach these systems in order to carry out surveillance, reconnaissance and to put in place backdoors they can use later on to gain remote access, he explains.

“The initial phase of an attack will be focused on studying the networks and figuring out where a future attack would do the most damage. Therefore, oil and gas companies may not notice any malicious activity in these earlier breaches — so it is very important that they have monitoring systems in place to detect any unauthorised access or movement within the ICS or any systems that connect to ICS.”

Such vulnerability is a concern at any time, let alone during a period of ever-escalating tensions and political jousting. Oil and gas companies – as well as others – clearly need to be vigilant and build multi-layered defences that can protect all critical operations, from the front-office to the ICS environment. “…we could see hackers become much more aggressive, and willing to sustain serious physical damage,” Kennedy concludes.

“Remember, nothing is off limits…”